def has_delete_permission(self, request, registration=None): """Only give delete permission if the user is an organiser""" if registration is not None and not services.is_organiser( request.member, registration.event ): return False return super().has_delete_permission(request, registration)
def get_object(self): instance = super().get_object() if ( instance.name or instance.member.pk != self.request.member.pk ) and not services.is_organiser(self.request.member, instance.event): raise NotFound() return instance
def can_change_order(member, pizza_event): """ Determine if a certain member can edit orders of an event :param member: Member who wants to change and order :param pizza_event: The event for which we want to change an order :return: True if we can change an order else False """ return (pizza_event and member.has_perm("pizzas.change_order") and is_organiser(member, pizza_event.event))
def perform_update(self, serializer): registration = serializer.instance member = self.request.member if (member and member.has_perm("events.change_registration") and services.is_organiser(member, registration.event)): services.update_registration_by_organiser( registration, self.request.member, serializer.validated_data) services.update_registration(registration=registration, field_values=serializer.field_values()) serializer.information_fields = services.registration_fields( serializer.context["request"], registration=registration)
def __call__(self, request, *args, **kwargs): pizza_event = None if "pk" in kwargs: try: pizza_event = PizzaEvent.objects.get(pk=kwargs.get("pk")) except PizzaEvent.DoesNotExist: pass if pizza_event and services.is_organiser(request.member, pizza_event.event): return self.view_function(request, *args, **kwargs) raise PermissionDenied
def registrations(self, request, pk): """ Defines a custom route for the event's registrations, can filter on registration status if the user is an organiser :param request: the request object :param pk: the primary key of the event :return: the registrations of the event """ event = get_object_or_404(Event, pk=pk) if request.method.lower() == "post": try: registration = services.create_registration( request.member, event) serializer = EventRegistrationSerializer( instance=registration, context={"request": request}) return Response(status=201, data=serializer.data) except RegistrationError as e: raise PermissionDenied(detail=e) status = request.query_params.get("status", None) # Make sure you can only access other registrations when you have # the permissions to do so context = {"request": request} if services.is_organiser(self.request.member, event): queryset = EventRegistration.objects.filter(event=pk) if status == "queued": queryset = EventRegistration.objects.filter( event=pk, date_cancelled=None)[event.max_participants:] elif status == "cancelled": queryset = EventRegistration.objects.filter( event=pk, date_cancelled__not=None) elif status == "registered": queryset = EventRegistration.objects.filter( event=pk, date_cancelled=None)[:event.max_participants] serializer = EventRegistrationAdminListSerializer(queryset, many=True, context=context) else: serializer = EventRegistrationListSerializer( EventRegistration.objects.filter( event=pk, date_cancelled=None)[:event.max_participants], many=True, context=context, ) return Response(serializer.data)
def __call__(self, request, *args, **kwargs): event = None if "pk" in kwargs: try: event = Event.objects.get(pk=kwargs.get("pk")) except Event.DoesNotExist: pass elif "registration" in kwargs: try: event = Event.objects.get( registration__pk=kwargs.get("registration")) except Event.DoesNotExist: pass if event and services.is_organiser(request.member, event): return self.view_function(request, *args, **kwargs) raise PermissionDenied
def perform_update(self, serializer): try: registration = serializer.instance member = self.request.member if (member and member.has_perm("events.change_registration") and services.is_organiser(member, registration.event)): services.update_registration_by_organiser( registration, self.request.member, serializer.validated_data) services.update_registration( registration=registration, field_values=serializer.field_values()) serializer.information_fields = services.registration_fields( serializer.context["request"], registration=registration) except RegistrationError as e: raise PermissionDenied(detail=e) from e except PaymentError as e: raise PermissionDenied(detail=e) from e
def test_is_organiser(self): self.assertFalse(services.is_organiser(AnonymousUser(), self.event)) self.assertFalse(services.is_organiser(self.member, self.event)) self.member.is_superuser = True self.assertTrue(services.is_organiser(self.member, self.event)) self.member.is_superuser = False self._toggle_override_organiser_perm(True) self.assertTrue(services.is_organiser(self.member, self.event)) self._toggle_override_organiser_perm(False) self._toggle_event_change_perm(True) self.assertFalse(services.is_organiser(self.member, self.event)) membership = MemberGroupMembership.objects.create(member=self.member, group=self.committee) self.assertTrue(services.is_organiser(self.member, self.event)) self.assertFalse(services.is_organiser(self.member, None)) self._toggle_event_change_perm(False) membership.delete()
def save_model(self, request, registration, form, change): if not services.is_organiser(request.member, registration.event): raise PermissionDenied return super().save_model(request, registration, form, change)
def has_change_permission(self, request, event=None): """Only allow access to the change form if the user is an organiser""" if event is not None and not services.is_organiser(request.member, event): return False return super().has_change_permission(request, event)
def _is_admin(self, instance): member = self.context["request"].member return services.is_organiser(member, instance)
def has_view_permission(self, request, order=None): """Only give view permission if the user is an organiser""" if order is not None and not is_organiser(request.member, order.pizza_event.event): return False return super().has_view_permission(request, order)
def save_model(self, request, obj, form, change): """You can only save the orders if you have permission""" if not is_organiser(request.member, obj.pizza_event.event): raise PermissionDenied return super().save_model(request, obj, form, change)
def has_delete_permission(self, request, obj=None): """Only allow access to delete if the user is an organiser""" if obj is not None and not services.is_organiser( request.member, obj.event): return False return super().has_delete_permission(request, obj)